livewire/livewire versions greater than 2.2.4 and less than 2.2.6 are affected by a data leakage vulnerability. The $this->validate() method, which is expected to return only the validated dataset, was returning all properties of the Livewire component. This regression introduced a security risk, allowing unvalidated data to be exposed, which could lead to unexpected behavior and potential security issues.

References

• livewire/livewire@6929f58
• https://github.com/FriendsOfPHP/security-advisories/blob/master/livewire/livewire/2020-09-22-1.yaml
• https://github.com/livewire/livewire/releases/tag/v2.2.6